System and method for securing applications through an application-aware runtime agent

ABSTRACT

A system and method for securing an application through an application-aware runtime agent can include: acquiring a code profile, instrumenting the application with a runtime agent according to the code profile, enforcing the runtime agent on the execution of the application, and responding to the runtime agent. Enforcing the runtime agent on the execution of the application can include monitoring the execution flow, which comprises of monitoring the utilization of the controls through the execution of the application; detecting a threat, which comprises identifying a section of the execution flow as a potential security threat; and regulating the execution flow to prevent or ameliorate the security threat. Responding to the runtime agent can include responding to the security threat and providing a user interface that may output runtime agent diagnostics and trigger alerts.

CROSS-REFERENCE TO RELATED APPLICATIONS

This application is a Continuation application which claims the benefitof U.S. patent application Ser. No. 14/154,151, filed on 8 Oct. 2018,which claims the benefit of U.S. Provisional Application No. 62/569,524,filed on 7 Oct. 2017, both of which are incorporated in their entiretyby this reference.

TECHNICAL FIELD

This invention relates generally to the field of application security,and more specifically to a new and useful system and method for securingapplications through an application-aware runtime agent.

BACKGROUND

Security of applications is an ever-increasing challenge for our modernworld. Software vulnerabilities, exploits, and attacks are seriousthreats to businesses and individuals as more and more operations dependon these software applications.

Securing an application can be challenging however. Many solutionsintroduce performance problems and/or introduce bottlenecks in thedevelopment process. With modern development processes where code isfrequently pushed to production, such solutions fail to keep pace.Another challenge is that operators of the applications are oftenremoved from the development process and lack an easy way tointerpreting events in a live application. Thus, there is a need in theapplication security field to create a new and useful system and methodfor securing applications through an application-aware runtime agent.This invention provides such a new and useful system and method.

BRIEF DESCRIPTION OF THE FIGURES

FIG. 1 is a flowchart representation of a method of a preferredembodiment;

FIGS. 2A-2C is a schematic representation of an exemplary implementationof monitoring execution flow;

FIGS. 3A-3F are exemplary screenshot representations of dashboard views;

FIG. 4 is a schematic representation of an implementation of a system ofa preferred embodiment; and

FIG. 5 is a schematic representation of a multi-instance variation ofthe system.

DESCRIPTION OF THE EMBODIMENTS

The following description of the embodiments of the invention is notintended to limit the invention to these embodiments but rather toenable a person skilled in the art to make and use this invention.

Overview

A system and method for securing applications through anapplication-aware runtime agent functions to use interpretation ofapplication code in partially defining approaches to monitoring and/orenforcing policy on the application during active use.

The system and method preferably rely on a code profile that is at leastpartially derived from application code. In particular, the code profileincludes a code property graph that defines the application as a numberof graphs that define behavior of the underlying code. The code profileand a security profile dictionary are preferably leveraged duringoperation of the application to selectively direct a runtime agent tomonitor and enforce policy to secure an application-specific set ofattack vectors. In particular, the system and method enable a runtimeagent that is particularly targeted to securing the execution of anapplication based on underlying code as characterized by a code profile.

The system and method is preferably implemented in connection with amulti-tenant cloud-hosted platform that facilitates use ofinstantiations of the system and method with applications from varioussources. Distinct application developers and administrators can use thesystem and method that both rely on the cloud-hosted platform.Additionally, distinct application developers and administrators may usethe system and method individually or in concert. In particular, theplatform can offer a web-based dashboard (accessible over the web, anapplication, and/or an API) to see and manage details for differentcustomer applications. The system and method may alternatively beimplemented as a single tenant solution, wherein a code profile and/orruntime agent are instantiated and managed for a single applicationwithout reliance of an outside platform. For example, a system couldlocally generate a code profile and then instrument the application witha corresponding runtime agent.

As one potential benefit, the system and method may enable applicationperformance monitoring integrated with security monitoring such thatadministrators can understand performance, usage, and other activitiesfrom a security perspective.

As another potential benefit, the system and method may leverage codeanalysis in combination with runtime behavior detection to achievehigher precision analysis results. Assumptions based on code analysiscan then be checked and validated during runtime, which may be used tospecify uncertainty in the code analysis results but then achieve highercertainty by validating conditions in runtime.

As another potential benefit, the system and method may facilitateenhanced monitoring and awareness of an application. Administrators ofan application can leverage the system and method to obtain high-levelsummaries of activity as it relates to security and to achieve detailedinspection of particular types of activity. As an example of high levelmonitoring of an application, metrics on inputs, outputs, datatypeevents, and/or potential issues could be summarized at a top level of adashboard. As an example of low level monitoring of the application, anadministrator may run a query to inspect how particular pieces ofpersonal identifying information of a user is passed and handled withinthe application.

As another potential benefit, the system and method may facilitateimplementation of machine learning algorithms to automatically improvethe applications. Output of metrics and testing of assumptions based oncode analysis allow for iterative updates of the application. Theseiterative changes of the application with sufficient metric outputs mayallow machine learning algorithms to independently improve anapplication.

As another potential benefit, the system and method may enable morecustomized securing of application. The system and method preferably usethe code profile to monitor and secure the application in response howthe application was designed. In working off of an underlyingunderstanding and interpretation of application operations, the systemand method can more effectively secure a limited attack surface. Thismay result in better security as well as enhanced performance. As itrelates to performance, the system and method can enable a runtime tofocus security protection to portions of execution susceptible tovulnerabilities. As a related potential benefit, the system and methodcan use application integration so as to mitigate the impact of theruntime agent on performance.

Method

As shown in FIG. 1 , a method for securing an application through anapplication-aware runtime agent of preferred embodiment can include:acquiring a code profile S110, instrumenting the application with aruntime agent according to the code profile S120, enforcing the runtimeagent on the execution of the application S130, and optionallyresponding to the runtime agent S140. The method functions to apply codeanalysis of S110 to instrumentation of application code and eventualenforcement in S130 and S140. In particular, enforcing the runtime agenton the execution of the application S130, preferably includes monitoringthe execution flow S132, which comprises of monitoring utilization ofapplication controls through the execution of the application; detectinga security event S134, which comprises identifying a section of theexecution flow as a potential security threat; and regulating theexecution flow S136 to prevent or ameliorate the security threat.Responding to the runtime agent may include responding to the threatS142 and providing a user interface S144.

Block S110, acquiring the code profile, may function to generate and/oraccess some form of code analysis of the application source code.Acquiring a code profile S110 is preferably accomplished with assistanceof a code analysis engine that converts the source code of one or morecode sources of the application into a code profile. The code profilemay have any structure but may be substantially similar to the codeprofile described in U.S. patent application Ser. No. 15/994,076, filedon May 31, 2018, which is hereby incorporated in its entirety. The codeprofile may characterize one or more properties of the code definingoperations of the application. The code profile preferably characterizespossible operation flows between: portions of the code, inputs andoutputs of the application, type of data and handling of data,dependencies, and/or other properties of the code. Acquiring the codeprofile S110 may comprise of generating a code profile as a part of themethod. Alternatively, acquiring a code profile S110 may comprise ofbeing provided or given access to the code profile.

The code profile is preferably generated for a particular scope of code,i.e. a subset of the application source code. The code profile mayalternatively be generated for the entire source code. In this manner asingle application may have multiple code profiles that characterizedifferent portions of the code that may or may not overlap with eachother. For example, different classes, modules, or libraries implementedby an application may have their own code profiles. A nested hierarchyof code profiles can enable someone to see how parts of a code baseimpact a higher order code profile. Additionally, an application mayhave multiple code profiles for different implementations. A codeprofile for “day-use” of the application may be different andcharacterize different parts of the application as compared to a codeprofile implemented by an application developer.

In some variations, an application that requires different libraries,modules, or portions of code may have individual code profiles used togenerate multiple distinct runtime agents that are enforced on thecorresponding portions of application code.

The code profile may function as a manifest interpretation of thecomponents of the code that can have security and functionalimplications. The code profile can preferably be broken down into a setof application controls (herein referred to in brief as controls) thatin combination may encapsulate the attack surface of the code, whereinthe attack surface describes regions of source code that may introducesecurity vulnerabilities into the application. Patterns in various formsand sequences of application controls within the application executionare preferably used to detect a security event, where the applicationcontrol is preferably derived at least in part from the code profile.Acquiring an application code profile can include mapping applicationcontrols of interest. Here, the application controls of interest mayinclude method calls, data type activity, input and output calls, and/orother suitable types of application controls. In some variations,application controls of interest may be a defined sequence ofapplication controls and/or a set of qualifying properties ofapplication controls. Characterizing such patterns and interpretingwhich controls are of significance within the code graph of a codeprofile may be part of mapping the application controls. Controlspreferably include interface channels, data, interaction flows,dependencies, and API elements. Controls may be added or removed as seennecessary. In one example a code profile with a set of controls isprovided for the application (e.g. for commonly used library or webapplications). In another example a user chooses a set of controls andthen generates the code profile as part of the method (e.g. for userwritten code).

In preferred variations, interface channels are a subset of controls.Interface channels may function in characterizing input and outputoperations of the code base of the application. That is, interfacechannels may characterize all the data interaction with the outsideworld.

In preferred variations, interaction flows are also a subset of thecontrols. Each interaction flow may function in tracing a datainteraction with the outside world characterizing the “flow” ofinteraction of the profiled components, such as the data and/orinterface channels.

In preferred variations, dependencies are also a subset of the controls.Dependencies function as external libraries, web applications,functions, etc., that are necessary for the execution of theapplication.

In preferred variations, API elements are also a subset of the controls.API elements may function in representing exposed programmaticinterfaces of the code base. API elements may be particularly applicableto a library, code module, or application that may expose programmaticinterfaces for interaction by other parties. In a library, this caninclude the exposed function calls for user of the library.

In some preferred variations of the code profile, the set of controlsare represented as a set of graphs that characterize operationalrelationships between the set of controls within the set of codesources. In preferred examples the set of controls are represented as acode property graph (CPG) as described in U.S. patent application Ser.No. 15/994,076, filed on May 31, 2018, which is hereby incorporated inits entirety. Alternatively, the set of controls may be representedusing a different graph structure.

The CPG may function in representing operational relationships such thata flow (i.e. traversal of edges of the graph structure) can be tracedthrough the code and its constituent frameworks and libraries. The CPGis preferably a joint data structure or model composed of an abstractsyntax tree (AST) and a series of flow graphs. The AST and the series offlow graphs may each have nodes that exist for each statement andpredicate of the source code. The statement and predicate nodes canserve as a connection point of the graphs when joining to form the CPG.Vulnerabilities and security impact of different events can beinterpreted by inspecting the connection between these nodes.

The CPG preferably enables efficient processing and analysis of thecodebase. The CPG is preferably a serializable data structure, which canenable efficient transmission and distribution of the code profileacross various machines. Easy transmission can enable parallelizedprocessing of the CPG, which can be leveraged in efficient traversal ofthe CPG in analysis of interaction flows between various points ofinterest in the codebase. The CPG can additionally be established fordifferent segments of a codebase. For example, libraries and/orsubcomponents of a codebase may each have a CPG.

An abstract syntax tree (AST) functions in characterizing structure andsyntax of the code. A code parser can create an AST as an ordered treewhere inner nodes represent operators and leaf nodes match operands.

Representing the set of controls as a set of flow graphs is preferably acomponent of acquiring a code profile S110. Representing the set ofcontrols as a set of flow graphs functions in incorporating controls,and the flow of controls, into the code profile. In the preferredvariation, wherein the set of controls includes interface channels,data, interaction flows, dependencies, and API elements; representingthe set of controls as a set of flow graphs may comprise of generating adata flow graph and a control flow graph (as described in U.S. patentapplication Ser. No. 15/994,076, filed on May 31, 2018), wherein thedata flow graph traces the flow of data and the control flow graphtraces the flow of function/method calls. More preferably, representingthe set of controls as a set of flow graphs may comprise converting theset of controls into a succession of method calls and then generating aset of flow graphs as per the control flow graphs. A sequence of methodcalls as indicated by a control flow graph may be used as a condition indetecting security events. Accordingly the runtime agent may use acontrol flow graph to determine which sequences of method calls totrack. When methods execute in the right order that may signify asecurity event.

The control flow graph functions to characterize the functional flow ofexecution within code. The control flow graph can preferably representsequential and/or possible sequences of execution. The control flowgraph preferably characterizes the calls between functions in the codeand/or the conditional branches within the code. For example, astatement preceding an if statement will have an association into the ifstatement or over the if statement within the control flow graph.

Acquiring the code analysis profile S110 may additionally includeestablishing assumptions on a set of implementations, which function tointelligently make predictions on aspects of the application that maynot be readily apparent through just code analysis. The assumed set ofimplementations can later be validated and/or invalidated during runtimeanalysis. Establishing an assumption may include establishinginstrumentation to monitor the possible implementations during runtime.Instrumentation that is invalidated may be later removed but couldalternatively be left in place. As one example, an application mayinclude code that calls a logger. The logger may be a programminglanguage interface that does not contain the actual implementation butinstead contains the API on how to call the implementation. A set ofassumptions can be made on possible implementations that could be usedwith that logger interface. The set of possible implementations can beinstrumented for runtime analysis. This can be implemented bycommunicating more flows than are actually possible in the code profile,but the actual flow implemented during runtime can be validated andreported. In some implementations, the validated assumptions may besaved so that future versions of the code profile can directly use thepreviously validated implementation. Validated implementations may beused over iterations to improve analysis and efficiency. In this mannermachine learning and testing software may additionally be incorporatedwith this method.

Block S120, instrumenting the application with a runtime agent mayfunction in enabling the runtime agent to track and monitor theexecution flow, wherein the execution flow is the trace of the series ofcontrols as they are utilized by the application at execution.Instrumenting the application with a runtime agent S120 may includeintegrating the runtime agent with the application and tagging flows ofthe control in accordance with the code profile.

Instrumenting the application with a runtime agent S120 preferablyintegrates the runtime agent with the execution of the application. Theruntime agent preferably has different modes of operation duringapplication execution: enforcing certain rules, monitoring the flow ofthe set of controls, detecting potential security threats, and reportingthose occurrences.

Depending on the programming language, instrumenting the applicationwith a runtime agent S120 may occur prior to, during, or aftercompilation of the source code. For example, precompiled languages (suchas C) may incorporate the runtime agent prior to or during compilation,while a post compiled language (such as Java) may incorporate theruntime agent at the time of execution. In some preferred variations theruntime agent is written using a cross-platform programming language(e.g. Lua), enabling implementation of the runtime agent withapplications written in multiple programming languages. In thesevariations instrumenting the application with a runtime agent S120 mayinclude instrumenting the application with a language “agnostic” runtimeagent. Alternatively, instrumenting the application with a runtime agentS120 may preferably include instrumenting the application with alanguage specific runtime agent. A language agnostic runtime agent mayenable the use of a single runtime agent with a program that is writtenusing multiple computer languages.

Within a Java-based application, an application can be modified toinclude a runtime agent that is added to a jar. This instrumentationpreferably enables operation metering of that application process.

In C, C#, Golang, and other languages that do not use virtual machines,the runtime agent implementation may use an OS mechanism. For example,LD-preload can be used to insert agent functionality into attempts toaccess OS resources. The communication to the OS calls can be modifiedto track and/or modify actions. In kernel space, Berkeley PacketFiltering (BPF) may be used for security auditing of the runtime agent.

In one implementation, a compiler can be configured to compileapplication code to include jump statements or other suitable calloutfunctionality to perform runtime agent specific operations in connectionwith particular events. Such statements are preferably added to methodcalls and can be used to track the sequence of method calls. In analternative implementation, usable for Golang and possibly applicable toother languages, the instrumenting an application may add nativeinstrumentation through trampolines wherein jump statements are insertedat the beginning or the end of methods. A compiler can be configured toinsert no-op instructions, and later binary modification can theninclude replacing the no-op instructions with jump statements toinstrumentation instructions. The instrumentation instructions arepreferably configured to return execution flow to the location after thejump statement after completion.

Instrumenting of the runtime agent S120 may be specifically configuredin accordance to the codebase of an application. The code profile may beconverted to a runtime model of the code that can be used to instruct anagent on what aspects to instrument (monitor and/or regulate).Instrumenting the runtime agent S120 may include analyzing the codeprofile and thereby identifying a subset of controls vulnerable topotential security events. The entire execution of an application maynot be instrumented, and instead a select portion of application codemay be instrumented to particularly monitor that portion of execution.Controls identified or otherwise selected for instrumentation may beselected based on graph based connections to known vulnerabilitypatterns. For example, controls that involve particular types of data(e.g., personally identifiable information) may be selected.

In addition to tracking and monitoring the flow of the set of controls,instrumenting the application with a runtime agent S120 may furtherenable tracking and monitoring of data associated with the set ofcontrols. Preferably through tagging the execution flow, input data(i.e. payloads) may be analyzed and tracked through the execution flowat runtime. Tagging the execution flow functions to introspect howmethod executions go through the set of controls. For example, theexecution flow of a sales transaction between an HTTP request to adatabase output may be inspected to see if the execution flow used anexecution flow path that was or was not logged, as shown in FIG. 2A.

In one exemplary implementation of instrumentation, atomic compare andswap operations are executed during each control checkpoint (e.g.,method call) and used in setting a flow counter. The atomic compare andswap operation is preferably a single instruction that can be used inimplementing the flow counter mechanism to track execution paths. Thestate of some counter can be compared and selectively updated based onits value. Incorporating flow counters may be used in execution flow. Inone variation, the program code is recompiled (if necessary) to insertthese instructions. In another variation, bytecode from the program codecan be modified to insert these instructions. These variations or othersuitable forms of instrumentation may allow flow tracking with lowoverhead. Multiple flows can be tracked simultaneously in an efficientmanner by devoting an array of flow counters in memory.

An execution flow of interested may be selected and instrumented such asshown in the exemplary execution flow of method calls shown in FIG. 2A.A flow counter may be compared and incremented based on the flow ofexecution control, which may result in a counter ending on differentvalues depending on the particular path. As shown in FIGS. 2B and 2C,the counter comparison and selective incrementing can result indifferent flow counter values depending on the control flow path. Thecounter will undergo different counter increments depending on the pathso that “good” and “bad” paths can be detected. In the case of a “bad”path (i.e., execution flow satisfying a sequence condition associatedwith a security event), a security event can be triggered and acorresponding response taken. This may be used to detect execution flowsthat may expose vulnerabilities such as logging sensitive data shown inFIG. 2C.

Instrumenting the application with a runtime agent S120 may furtherinclude instrumenting for multiple users. Instrumenting for multipleusers functions to create a runtime environment wherein the runtimeagent is integrated into the application identically. Instrumenting formultiple users may reduce overhead by requiring only one implementationof method S120 for all users. Additionally, instrumenting for multipleusers may enable complementary updates to the security and allowmultiple users to work together in monitoring and improving the securityof the application.

Block S130, Enforcing the runtime agent on the execution of theapplication may function to enable the operation of the runtime agentwithin the application during application execution. As mentionedbefore, there may be various modes of operation by a runtime agent thatmay or may not operate simultaneously depending on the use case. Thesemodes may include but are not limited to: monitoring the execution flowS132, detecting potential security threats S134, and regulating theexecution flow S136. Enforcing the runtime agent preferably detectsoccurrence and/or tracks properties relating to security events.Detection and tracking are preferably enabled through theinstrumentation of block S120. Enforcing the runtime agent on theexecution of the application S130 may be implemented with eachindividual execution of an application or may be turned on or off asdesired. Enforcing the runtime agent on the execution of the applicationS130 may function in accordance to the code profile and thecorresponding instrumentation of the application code. Thus, enforcingthe runtime agent on the execution of the application S130 may functiondifferently and dependent on implemented code profile.

Block S132, monitoring the execution flow, is preferably a component ofenforcing the runtime agent on the execution of the application S130.Monitoring the flow S132 functions to track and analyze the utilizationof the set of controls during execution of the application. Monitoringthe execution flow S132 may allow the runtime agent to collect metricsin an agnostic manner as to the good/bad nature of the occurrence. Inthe preferred variation, wherein the set of controls includeinput/output calls, data type activity calls, and method calls;monitoring the flow S130 preferably includes tracking and analyzing:input/output calls, input and output data (i.e. payloads) associatedwith the input/output calls, activity with various types of data, andfunction calls.

Monitoring the flow S132 may include reporting executing flow, which canenable a security operation team to inspect activity of the applicationbased on how the application is structured. Execution flow andcorresponding data such as input/output calls, input and output data,function calls and the like can be logged and reported within a userinterface for analysis and inspection by a user or some computingsystem. The code profile is preferably used in extracting andunderstanding of the application so that activity can be segmented andclassified according to the structure of the code. Segmenting andclassifying according to the structure of the code may further enabletracing security vulnerabilities to specific controls and therebyspecific lines of source code. For example, input activity like requestsmade to different paths on an HTTP port can be tracked as distinctmetrics. As another example, output activity like DB operations made forvarious data types (e.g., sensitive data) can be tracked.

Segmenting and classifying according to the structure of the code mayfurther enable distinguishing and tracing input data. Monitoring theexecution flow S132 preferably includes segmenting and classifyingpayloads and monitoring the interaction with source data type and inputcalls. By monitoring these interactions, the runtime agent may identifyadditional security vulnerabilities that are unique to a payload anddata type interaction. For example, the runtime agent may identify apotential payload attack vector due to the size of payload being beyondthe bounds of the input call variable. In some variations, payloadclassification can be used in combination with other control sequencepattern detection to provide more robust and efficient payload analysis.In this way, the runtime agent can perform targeted payload analysisthat performs regular expression analysis or other forms of data payloadanalysis in situations that satisfy an initial security event condition.In the event where execution flow is considered safe flow (e.g., notflagged or not satisfying some condition), then payload analysis may beomitted (potentially beneficial to performance). In the event whereexecution flow is considered a potentially unsafe flow, then payloadanalysis may be triggered and based on that a second or more serioussecurity event may be triggered. This functions to perform payloadanalysis in portions of code where it may cause harm.

Additionally, a user or outside system may define a new security eventcondition, which may update a security profile dictionary or othersuitable resource used in responding to detectable events of the runtimeagent.

In the preferred variation, wherein the set of controls includes datatype activity, monitoring the execution flow S132 includes monitoringdata type activity. Monitoring data type activity functions to track anddetect activity associated with various types of data, and thus enablesecurity warnings due to mishandling of sensitive data. Monitoring datatype activity is preferably applied to tracking sensitive data such asPII, financial data, passwords, security keys, secrets, health data,and/or other suitable types of sensitive data. Monitoring datatypeactivity preferably involves structuring monitoring for hierarchicalinspection. The runtime agent may track sensitive data activity so thatan administrator can query different data types, portions of anapplication, and/or other scopes. For example, in monitoring datatypeactivity, block S132 may be enabled to expose a search interface whereina user could search for “passwords” to see how passwords are handledwithin the application.

Monitoring the execution flow S132 may additionally or alternativelyinclude extracting general activity information from operation of theapplication. The activity information may be used in providing furthersecurity insights into the operation of the application and lead to moreadvanced iterations of the code profile that are more secure or lead todifferent use cases of the runtime agent. Additionally, general activityinformation may allow insight into better optimizing the application.

Block S134, detecting a security event is preferably a component ofenforcing the runtime agent on the execution of the application S13 o.Detecting a security event S134 functions to determine a potentialsecurity threat, vulnerability, or other type of concerning conditionwithin the application. Detecting a security event S134 may comprise ofthe runtime agent identifying and flagging a section of the executionflow as a potential security threat.

Detecting a security event S134 may be based on interpretations of thecode profile. Depending on the code profile implementation, the codeprofile may have classifying actions and/or collections of actions(section of execution flow) that define potential security threats. Suchpotential security threats may be selected for targeted instrumentationin block S120. Alternatively, security events may be detected throughgeneral instrumentation of application code. Detecting a security eventS134 may detect different and distinct potential security threatsdependent on these distinct code profile implementations.

Detecting a security event S134 may take a more application executionapproach. In understanding the design of the application code, morenuanced security events can be detected than approaches that lack anawareness of the underlying design of an application. Such targeteddetection may particularly utilize tracing of the execution flow.Execution flow may be manifested in tracking sequence of method calls. Aparticular sequence pattern of method calls may be monitored conditionused to detect a security event. Such sequence patterns may includedirect sequential method call patterns. Sequence patterns mayadditionally include patterns characterizing loops and iterations.Detecting a security event S134 may identify a security event by tracingthrough the execution flow and identifying where data is used. In oneexample, user data can be traced through the code profile and used todetect user data being used in MySQL output, identifying a potentialsecurity threat.

Detecting a security event S134 may occur if sensitive data ismishandled. Monitoring of sensitive data may enable detecting a securityevent S134, such as detecting sensitive data being handled by, beingcommunicated to, or otherwise interacting with an insecure output. Forexample, detecting sensitive data being stored in a public log or anunencrypted format may lead to detecting a security event S134. Misusemay include lapses in handling of the data (e.g., communicating in anunencrypted format), communicating to a third party, not sanitizinguser-supplied data before processing, or other forms of misuse.

In preferred variations detecting a security event S134 may identify asecurity event by “looking up” sections of the execution flow in asecurity profile dictionary. The security profile dictionary mayfunction as a repository of vulnerabilities. In preferred variations,the security profile dictionary includes vulnerabilities, their knownexploits (i.e. security threats), and prescribed directions to counterthe known exploits. The security profile dictionary may be applicationspecific and/or a general vulnerability repository. In some variations,a library specific security profile dictionary is maintained andimplemented for sections of the execution flow. An application may havemultiple security profile dictionaries that may or may not overlap. Forexample, an application may have an application specific securityprofile dictionary of its own and also multiple security profiledictionaries for implemented libraries. An application may also havedistinct security profile dictionaries for different use cases. Forexample, one security profile dictionary may be implemented duringsoftware development that focuses on function call threats and includesprescribed directions that are heavily weighted towards giving userfeedback, while another security profile dictionary is implementedduring regular application use that focuses on data input and automatedsecurity responses with minimal user feedback.

The method may additionally include updating a security profiledictionary. Updating a security profile dictionary may be performedautomatically or semi-automatically through monitoring execution of theapplication code (e.g., code interpretation or binary execution).Alternatively, a user like a security ops developer may update thesecurity profile dictionary. For example, after observing the occurrenceof a particular security event, the responding action to that eventoccurrence can be updated to change how it's handled.

Block S136, regulating the execution flow is preferably a component ofenforcing the runtime agent on execution of the application S130.Regulating the execution flow S136 functions to enforce rules on theexecution flow of the application during runtime. Regulating theexecution flow S136 enables the runtime agent to take actions tomitigate and/or prevent vulnerabilities. In particular, a runtime agentmay specifically restrict operations performed on behalf of the codeprofile and/or security profile dictionary. These restricted operationsare preferably based on the security threat exposure as indicated by thecode profile and/or the security profile dictionary, but may be based onapplication optimization or administrator testing.

Regulating the execution flow S136 may include following prescribedrules of the security dictionary. Certain execution flows may beblack-listed within the security profile dictionary. Regulating theexecution flow S136 may block the application from followingblack-listed execution, forcing the application to take a differentexecution path. Black-listed sections of execution flows may correspondto known security vulnerabilities. Alternatively, black-listed executionflows may be implemented in regulating the execution flow S136 fortesting or other purposes. In some examples, specific execution flowsmay be black-listed to prevent behavior that the application was neverintended to perform. For example, forking a process can be dangerous,and so enforcing the runtime agent on the execution of the applicationS130 may identify the forking behavior, by monitoring the flow S132, andproactively prevent such use, by regulating the execution flow S136.

Regulating the execution flow S136 by black-listing and white-listing ofexecution flows may be implemented in the security profile dictionary asdescribed previously, but may additionally and/or alternatively beimplemented as part of the code profile. Black-listing is used herein tocharacterize prohibiting defined execution flows. White-listing is usedherein to characterize explicit permitting of defined execution flows.In one variation, the black-listing of methods or particular sequencepatterns of methods may be set by default, and the code profile may beused to identify potential method calls that an applicationadministrator may want to enable. The administrator could be alerted andprompted to customize the blacklist and/or whitelist if desired.

As described above, the code profile may have portions that include aset of assumed possible implementations. Regulating the execution flowS136 may additionally include validating assumed implementations, whichfunctions to disambiguate and/or confirm the guesses or predictions thatreflect the actual execution of the application. In this way, aspects ofthe application that are unclear through code analysis can be made moreprecise by being combined with runtime analysis. In one variation,execution flow tracking may be used to validate predictions of the codeprofile. For example, the execution of the runtime agent may enable theactual implementation of a set of possible implementations to bedetected. Other techniques can similarly be used in checking theassumptions of the code profile.

Block S140, responding to the runtime agent may function in reacting tothe actions of the runtime agent and optionally enabling user input.Responding to the runtime agent S140 includes responding to the securityevent S142, of any potential security threats determined by detecting asecurity event S134, and optionally providing a user interface S144.Responding to the runtime agent S140 may be implementation specific. Forexample, responding to the runtime agent S140 may be dependent on theset of controls set in the code profile, dependent on the securityprofile library implemented (if any), and/or specifically implementedadministrator rules.

Responding to the security event S142 may function in characterizing thethreat potential of the security event and ameliorating characterizedsecurity events. Characterizing the security event may includedetermining the severity of threat (e.g. general warning, unknownthreat, extreme threat, etc.) and the type of security event (e.g.exposed data, harmful data injection, unstable process, etc.).Ameliorating the security event may then include following prescribedprocedures for the characterized security event and/or reporting thesecurity event. A subset of prescribed procedures, which may include allprescribed procedures, are preferably available in a security profiledictionary. Additionally and/or alternatively, a subset of prescribedprocedures may be implemented in the code profile and/or implemented byan administrator.

The security profile dictionary may define or characterize knownpotential security threats and prescribed procedures to respond tocorresponding security events. Thus, responding to the security eventS142 may include following a defined security profile dictionaryresponse to the identified security event. A variety of types ofresponses may be used. Exemplary types of responses can include loggingoccurrence of the security event, actively blocking execution flow,actively allowing execution flow, altering execution flow (e.g., softlyfailing and issuing a warning or error), updating security settings(e.g., updating a firewall setting), augmenting a data payload (e.g.,sanitizing data payload), and/or taking suitable action.

In preferred variations, responding to the security event S142 furtherincludes updating the security profile dictionary by adding newlydiscovered security events and updating data on previously knownsecurity events. Adding and/or updating security events may include, butnot limited to: adding new sections of harmful execution flow,black-listing or white-listing execution flows, upgrading or downgradingthe threat levels of a specific security event, identifying a specifictype and/or size of a harmful payload, and adding known dangerouspayload injections, and increasing/reducing the verbosity or the numberof warnings given for a commonly observed mild threat. The securityprofile dictionary may be updated automatically and/or may be updated byan administrator. If the method has sufficient information, theresponding to the security event S142 may automatically make thenecessary updates. For example, responding to the security event S142may automatically update general security metrics within the securityprofile dictionary and may black-list a section of execution flow whichincludes a sensitive data type and unencrypted handling of that data.

As described previously, responding to the security event S142 mayenable regulating flows S136 by white-listing and/or black-listingsections of the execution flow. In some variations, white-listing andblack-listing may not initially be implemented, but are implemented overruntime iterations. One example of this would be sending sensitive data.The initial base code may just designate sending the sensitive data to aspecific location without implementing a specific transfer protocol.Once detecting a security event S134 has observed sensitive data sentover an insecure protocol (i.e. identified the section of execution flowcorresponding to the sensitive data and the insecure transfer protocol),responding to the security event S142 may update the security profiledictionary by black-listing the section of execution flow that containsthe sensitive data call and the just implemented insecure transferprotocol. The security profile dictionary may in this manner be updatediteratively each time an insecure transfer protocol is implemented withthat sensitive data call until the sensitive data is only sent over asecure transfer protocol. Alternatively, the security profile dictionarymay white-list a specific execution flow (or a set of execution flows)that contains the sensitive data and a specific secure transfer protocolthereby ensuring the sensitive data is always transferred using thatspecific secure transfer protocol.

In the example where a security event was identified by tracing userdata to a MySQL output, responding to the security event S142 mayinitially include identifying the data and communicating the data to anadministrator, who may then assign handling of such behavior or takeother corrective actions (e.g., updating the application code).Responding to the security event S142 may additionally includeproactively preventing vulnerabilities. For example, an error or othercorrective action may be injected into the attempted use of user data ina MySQL output as described above to prevent such an event.

As an additional or alternative variation, responding to the securityevent may include modifying firewall settings based on clients involvedin the security event. Accordingly, executing a runtime agent caninclude collecting source IP of a client device associated with thesecurity event and submitting the IP to a network firewall. Thisfunctions to proactively block bad actors involved in suspected badbehavior. The network firewall could be a third party outside entity.Alternatively, a firewall may be operated in direct connection to themethod. Preferably, the IP or other identifying parameters of involvedclients/devices (i.e., sources) can be recorded for security events.Within this log of sources, a pattern in the sources can be detectedwithin the security events. This pattern may include a condition of oneparticular IP source being involved in more than a threshold of securityevents within some time window. Other patterns may detect regionalattacks or other suitable patterns.

Block S144, which includes providing an interface, may be a component ofresponding to the runtime agent S140. Providing a user interface,functions to enable access to runtime activity for review of applicationcode execution and/or managing execution of application code via theruntime agent. Providing an interface S144 preferably includes providinga graphical user interface. The graphical user interface can be adashboard accessible through a web application and/or a nativeapplication. The dashboard may show various forms of metrics. In onevariation, responding to the runtime agent can include identifyinginvolved controls within the set of code sources and reporting theinvolved controls through the user interface In another exemplaryimplementation, the dashboard may breakdown input activity, outputactivity, activity for various data types, and/or alerts as shown inFIGS. 3A-3C. Information around the performance and security of anapplication can be inspected. The dashboard is preferably interactiveand can enable querying and customized reporting on various metrics asshown in FIGS. 3D and 3E. For example, an administrator may be enabledto search for a particular data type and inspect how that data type hasbeen handled in the context of the application codebase. The types ofactivity information may additionally be shown in different views. Asshown in FIG. 3E, purchase data involving a particular data center anddatabase destination can be viewed from an application service level.Various alerts or insights can additionally be presented to anadministrator as shown in FIG. 3F, which functions to increaseawareness.

Providing an interface may additionally or alternatively includeproviding a notification interface, an API, and/or an eventing engine.An API such as a REST API or GraphQL API can enable programmaticintegration. The eventing engine can provide a mechanism so thatdifferent events or actions can be triggered in response to differentconditions. The notification interface can enable notifications, alerts,or communications to be triggered in response to activity of theapplication based on execution of the runtime agent. These responses mayinclude all information regarding the code profile and all informationgathered by the runtime agent. In addition to the actual code profile,information about the code profile may include, but is not limited to:control parameters, update history of the code profile, and usercomments. Gathered information from the runtime agent may include, butis not limited to: the traveled execution flow, observed securityevents, security event responses (e.g. execution flows werecircumvented, payload data blocked), list of security events that havehad a response, list of security events that have not been responded to,and security event action recommendations. Alternatively, the user mayset filters to reduce or focus the information received.

The dashboard and/or other interface may additionally enable managementof the runtime agent. An administrator may be enabled to updateconfiguration that defines how the runtime agent augments operation. Forexample, an administrator may be black-list or white-list one, or a setof, execution flows. The administrator may additionally change or updatethe security profile library.

System

As shown in FIG. 4 , a system for securing applications through anapplication-aware runtime agent of a preferred embodiment can include acode profile 110 generated from an application, a runtime agent system120, and an administration system 130. The code profile is preferablygenerated using a code analysis engine 140. The runtime agent system 120is preferably integrated with application code through aninstrumentation system 150. The system preferably implements the methoddescribed above. A preferred implementation of the system offersapplication monitoring as a service to different applications. Thisimplementation can include an account system and/or other supplementarycomponents to facilitate offering of the system as a cloud hostedplatform. Alternative implementations may provide the system as asingle-instance variation that is designed for integration with a singleapplication.

The code analysis engine 140 functions to generate a code profile nofrom source code or a subset of the source code. The code analysisengine 140 may alternatively convert a subset of one or more sourcecodes (referred to as base code) into a code profile no. As manyapplications rely on libraries and open source software, the codeanalysis engine 140 can facilitate generation of a code profile no thatcan account for security impact of third party code bases. For example,the code analysis engine 140 could assess the code bases of various opensource libraries and a main project.

The code profile no is preferably a code property graph (CPG) asdescribed above. The code profile 110 may alternatively be any suitablemodel of the code based on the application code (more specifically, thedevelopment/production application code). In some alternativeimplementations, the system may not include a code analysis engine 140and instead the code profile no is retrieved or produced throughalternative mechanisms.

In one preferred implementation, the code analysis engine 140 preferablyincludes a first code analysis tool that extracts the CPG. The CPGrepresents operational relationships such that execution and data flowcan be traced through the base code and its constituent frameworks andlibraries (i.e. dependencies). The CPG can be used to characterizepotential vulnerabilities. The code analysis engine 140 preferablyincludes a second code analysis tool that traverses the CPG andgenerates a code profile 110 using the relationships and execution anddata flows within the CPG.

The code property graph of a preferred embodiment is a joint datastructure, or model, which may be composed of an abstract syntax tree(AST) subcomponent, a control flow graph (CFG) subcomponent, and a dataflow graph (DFG) subcomponent. The code property graph may alternativelybe characterized using any suitable format. The joint data structure CPGmay include a node for each subcomponent for each subject and predicatethe base code. The CPG preferably enables efficient processing andanalysis of the base code by enabling efficient graph traversals. TheCPG is preferably a serializable data structure, which can enableefficient generation, transmission, and distribution of the code profile110 across various machines. Being easily transmitted can enableparallelized processing of the CPG, which can be leveraged in efficienttraversal of the CPG in analysis of interaction flows between variouspoints of interest in the codebase. A CPG can additionally beestablished for different segments and/or dependencies of the code base.For example, CPGs can be extracted from libraries that are called by thecode base and/or distinct subcomponents of the code base. Extracting aCPG for these different segments may additionally help focus andidentify locations of interest within the code base. For example, alibrary CPG may help identify a code base variable that has gone out ofits valid parameter range.

An AST functions to characterize the structure and syntax of the code.An AST faithfully encodes how statements and expressions are nested toproduce programs. A code parser can create an AST as an ordered treewhere inner nodes represent operators and leaf nodes match operands.

The CFG functions to characterize the functional flow of executionwithin the code as well as conditions that need to be met. The controlflow graph can preferably represent sequential and/or possible sequencesof execution. The CFG is comprised of statement and predicate nodes,which are connected by directed edges to indicate transfer of control. Astatement node has one outgoing edge, and a predicate node has twooutgoing nodes corresponding to true and false evaluation of thepredicate. The CFG preferably characterizes the calls between functionsin the code, the conditional branches within the code, and/or otherelements of control flow. For example, a statement preceding anif-statement will have an association into the if-statement or over theif-statement within the CFG. The CFG may be used to determine theexecution flow in base code.

The DFG functions to show the operations and statements that operate onparticular pieces of data. Traversing the edges of the graph canindicate the flow of data. The DFG can additionally capture possibleoperations.

The AST, CFG, and DFG are preferably combined into a joint datastructure as the CPG. The three graphs AST, CFG and DFG each have nodesthat exist for each statement and predicate of the source code. Thestatement and predicate nodes can serve as a connection point of thethree graphs when joining to form the CPG. Through the threesubcomponents, CPG may contain information about the processed code ondifferent levels of abstraction, from dependencies, to type hierarchies,control flow, data flow, and instruction-level information. Passes overthe CPG may allow inspection of the base code structure, control flow,and data dependencies of each node, and thus traversing and/or makingqueries into the CPG may give better understanding of the code base(e.g. by identifying vulnerability patterns).

The code profile 110 functions as a manifest interpretation of thecomponents of the code, that is to say the application controls, thatcan have security and functional implications. The code profile no maybe generated from the CPG. Code analysis and interpretation of the codeprofile 110 can detect certain parts of the code that have someimplication on the data type, handling of data, and interactions withoutside systems or code, giving contextual understanding of the basecode. An analysis engine may from this select or determine particularsecurity events of interest and/or instrumentation specifications formonitoring of the application code during execution. The code profile110 can preferably be broken down into a set of components that incombination can encapsulate the attack surface of the code. The codeprofile 110 could include components broken down by: interface channels,data, interaction flows, dependencies, and/or API elements. Additionalor alternative components may additionally be used. For example, thecode profile 110 could break down the various interface channels tooutside systems, instances of data of interest, the various interactionflows of data to different interface channels, and dependencies onexternal libraries. Some of the components may be more applicable tocertain types of code bases (e.g., libraries vs. web applications).

The code profile 110 may be generated from CPG using the code analysisengine no. The graph structure of the CPG may convert a code analysisproblem into a graph theory problem, potentially reducing thecomputational power required to solve the problem. That is, because ofthe graph structure code analysis may be done using parallel processingin clusters and allow for more efficient caching of data. Interfaceinteractions of the code profile 110 may be generated by tracing theflow of interfaces on the CFG component of the CPG. Data interactions ofthe code profile no may be determined tracing the flow of data on theDFG component of the CPG. In some variations, where there is a codepolicy, the code profile 110 may be generated conjointly from the CPGand the policy. In these variations, the code analysis engine nogenerates the code profile 110 from the CPG according to thespecifications of the security profile. The CPG can be evaluated againstthe security profile. To this end, the code analysis engine no performsstatic data and flow analysis to determine data and flows in theapplication that violate or otherwise meet conditions or rules of thesecurity profile. The security profile may be a default profile, acustomized security profile, and/or a combination of security profiles.In one variation, a baseline security profile could be used incombination with a customer defined security profile. Parts and/or allof the code policy itself may also be incorporated into the code profileno.

The code profile no may be generated for a particular scope of code, butcode profiles 130 could additionally/and or alternatively exist forsubcomponents of the base code. Thus a code profile no may be generatedfor an entire base code, or for one or more sections of code (e.g. acode profile no for a specific function within the code). Additionally,code profiles 130 may be generated for dependencies of the base code,such as modules, and external libraries that are called on by the basecode. Any other variations or alternatives of the base code and/or basecode dependencies may also be implemented to generate a code profile no.Additionally, nested hierarchies of code profiles 130 may also begenerated, wherein potentially overlapping code profiles 130 for asubset of the base code and/or a code profile no for the entire basecode are created. Nested code profiles 130 can enable someone to see,with greater focus, the impact of sections of the base code.

The interface channels function to characterize the input/outputassociated operations of the codebase. Interface channels may representevery way the base code interacts with the outside world. The interfacechannels of the code of interest are preferably described within thecode profile 110. A codebase (or process) will have at least oneinterface channel component if the codebase has a statement establishingcommunication with an outside system. An interface channel component canoutput data to an outside system and/or receive data from an outsidesystem. An interface channel could be contained directly within thecodebase (e.g., a process of the codebase accesses or interacts with anetwork, database, file, etc.) or indirectly (e.g., a used library ormodule accesses or interacts with a network, database, file, etc.).

In one implementation, interface channels can be identified bystatements that are tagged or detected to perform some action with anoutside system. The system may include a library of pre-taggedstatements that the code profiler may use. Statements triggering systemcalls and/or other types of statements could be tagged as such.Generally, an interface channel can be detected by traversing the CFGfrom system call statements or other tagged statements and incorporatedinto the code profile 110. For example, an application could be detectedto make use of a set of interface channels by tracing associationsthrough libraries and frameworks to underlying system calls.

System calls are functionality exposed by the underlying operatingsystem. There is usually a well-defined way for a language to interactwith the underlying operating system. System calls are preferablyincorporated into the code profile no. System calls cannot be accesseddirectly by user programs, and are generally only accessed by kernelcode. For example, the Linux kernel for the x86_64 processorarchitecture provides over 300 system calls. When a system call is made,there is a transition from user space to kernel space, which runs at amore privileged level. Arguments to the system call are copied into thekernel space and validated to ensure they do not compromise the kernel.However, it is highly likely that the parameters were validated in userspace as well. In some cases the user space functions will be thinwrappers over the kernel functions, in other times they'll provideadditional features on top.

Instances of interface channel components can have attributes such as atype, read/write mode indication, description, address, method,protocol, data received, data sent, channels received from, channelssent to, and/or other suitable attributes.

The type of interface channel can be classified based on the type ofinteraction with an outside system. Five preferred types of interfacechannels can include: network, database, file, commands, and logging. Byinspecting the interface channels of a code profile 110, one could seeif some type of network access, database access, file, access, andcommand access is used. The code profile no could then break downinterface channels of different processes by the type of interfacechannel. A network interface channel can be indicated by a statementusing a webs route, a 3rd party API, reading from or writing to a queueor nearlines storage, and/or any other suitable network interaction. Adatabase interface channel can be indicated by statements that performinteractions with a database. In some implementations, databaseinterface channels may be combined with network interface channels. Afile interface channel can be indicated by statements that read or writeto a file system. Similarly, file interface channels could be a type ofnetwork interface channel (e.g., if a network file system), but canpreferably be included as its own type, especially for local file systeminteractions. A command interface channel can be indicated by statementsmaking commands to a database, to a file system, and/or other suitabletypes of commands. A logging interface channel can be indicated bystatements that write data or generates reports of data, events,communications and/or other aspects in a system.

The data components function to identify particular types of data. Thedata components called out are preferably data that may have an impacton the attack surface of the code base. Data components will have anumber of attributes such as type, template, and name.

The types of data components can include data classifications such asattacker controlled, sensitive data (credit card numbers, SSN, etc.),secrets (e.g. credentials, passwords, etc.), user data, personalidentifiable information, user generated data, internal data, publicdata, and the like. The type of data component can be determined throughpattern recognition on the codebase. Preferably, natural languageprocessing can analyze class names, object names, structure names,variable names, runtime value patterns, data validation patterns,comments, documents, and/or other aspects to classify data. A templateproperty can indicate the type of object such as a class, object,structure, variable, or other form of data. Additionally, a datacomponent can include attributes to indicate data flow to an interfacechannel, from an interface channel, to an interaction flow, or from aninteraction flow. A data component could additionally include anattribute indicating if it is protected by authentication/authorizationlayer and the type or properties of protection (e.g., form basedauthentication, basic authentication, 2-factor, token based, handlingpassword resets, OAuth & OAuth 2, JWT, password strength policy, sessioncookie, crypto strength, etc.).

Sensitive data is preferably a data type of interest. Sensitive data mayinclude credit card numbers, pin codes, SSNs, etc. Using naturallanguage processing techniques and a default dictionary of indicativeterms, sensitive data types may be identified by their name. Taggingdirectives may additionally be used to mark data as sensitive.

The interaction flow components function to represent the interaction ofthe profiled components such as the data and the interface channels.Interaction flows of the base code may be extracted to the code profilegraph. Tracing the CFG of the code profile graph may allow tracking theflow of execution and tracing the DFG may allow tracking data, datarelationships, and all uses of variables. By traversing the CFG and theDFG the flow data may be incorporated within the code profile 110.Depending on the modeling architecture, the flows can be modeled asindependent components or as properties of the data and/or interfacechannels as was indicated above. An interaction flow can indicate theinteraction channels from which data flows or to which data flows.

The dependency components function to represent the library, module, orother codebase dependencies. Dependencies may, additionally oralternatively, include internal dependencies. Dependencies may beincorporated within the code profile no from the CPG. Each dependencycomponent may have attributes indicating properties like if itsdeprecated, classified as insecure or vulnerable, bus factored (highvolume of committers added/leaving), unmaintained, license violation, oroutdated.

The API components function to represent the exposed programmaticinterfaces of the codebase. API components may be generated into thecode profile 110 from the CPG. API components can be particularlyapplicable to a library, code module, or application that may exposeprogrammatic interfaces for interactions by other parties. In a library,this can include the exposed function calls for users of the library.

The code profile 110 can additionally include codebase metadata such aslanguage, type, framework (e.g., web-app or library), lines of code,committers, open issues, pending PRs, test coverage, and/or otherproperties.

The code profile 110 can additionally include additional or alternativecomponents. In one variation, attributes of the code profile 110 may beabstracted into more user-accessible concepts. These higher-levelconstructs could be represented in the code profile no. For example,compliance analysis or other forms of conclusions could be representedin these higher-level components.

The code profile 110 can offer a tangible artifact that is usable inunderstanding the nature of a base code. The code profile 110 can have adata-oriented representation, which could be accessible for programmaticinteractions. The code profile 110 could additionally have a translatedgraphical representation that reflects properties of the code profile noin a way more easily observed by a user. This graphical representationcould be presented in a dashboard or other suitable interface.

The runtime agent system 120 functions to integrate with the operationof the application. The runtime agent system 120 collects data and insome variations may augment operation. The runtime agent is preferablydeployed along with the application process that is the result ofcompiling and running the source code. The runtime can preferablyenforce policy that is customized to the code profile 110 of thecodebase. The runtime agent may additionally use the code profile 110 totake and draw conclusions about the system to facilitate runtimemonitoring without inordinate amounts of time building a model. As shownin FIG. 5 , multiple application processes or instances may haveindividual agents that callback to a monitoring proxy. The monitoringproxy collects process information and then communicates with a remotecloud platform. A runtime agent instance may alternatively directlycommunicate with a remote platform.

The runtime agent system 120 is preferably enabled through aninstrumentation system 150 that acts to instrument application code oran executable originating from application code. The instrumentationsystem 150 may include or coordinate with a compiler so as to augmentthe execution of the application to trigger or call out to trackingoperations. In one implementation, the runtime agent functions to logand record the occurrence of different control-related events. Amonitoring service may monitor the control records to detect particularscenarios and thereby triggering various security events.

The administration system 130 functions to provide one or moreinterfaces to the collected activity and interpretation of the activity.The administration system 130 is preferably hosted in a remote cloudplatform, but may be implemented as a local service or application. Asdescribed above, the administration system may include various types ofinterfaces such as a dashboard, a notification interface, an API, aneventing engine. The administration system 130 may be used for accessingor reviewing status of execution of the application as reported by theruntime agent. The administration system may additionally oralternatively be used in managing or controlling aspects of the runtimeagent such as configuring a security profile dictionary or otherparameters of agent operation.

The systems and methods of the embodiments can be embodied and/orimplemented at least in part as a machine configured to receive acomputer-readable medium storing computer-readable instructions. Theinstructions can be executed by computer-executable componentsintegrated with the application, applet, host, server, network, website,communication service, communication interface,hardware/firmware/software elements of a user computer or mobile device,wristband, smartphone, or any suitable combination thereof. Othersystems and methods of the embodiment can be embodied and/or implementedat least in part as a machine configured to receive a computer-readablemedium storing computer-readable instructions. The instructions can beexecuted by computer-executable components integrated with apparatusesand networks of the type described above. The computer-readable mediumcan be stored on any suitable computer readable media such as RAMs,ROMs, flash memory, EEPROMs, optical devices (CD or DVD), hard drives,floppy drives, or any suitable device. The computer-executable componentcan be a processor but any suitable dedicated hardware device can(alternatively or additionally) execute the instructions.

As a person skilled in the art will recognize from the previous detaileddescription and from the figures and claims, modifications and changescan be made to the embodiments of the invention without departing fromthe scope of this invention as defined in the following claims.

We claim:
 1. A method for securing an application comprising: convertinga set of code sources of the application to a code profile as a set offlow graphs that includes at least a data flow graph and a control flowgraph and that characterizes controls within the set of code sources;mapping controls of interest within the code profile by identifyingsequences of controls in the set of flow graphs that are associated withdetection of a potential security event; instrumenting the applicationwith a runtime agent according to the code profile, whereininstrumenting comprises augmenting the execution of the controls ofinterest in the application to trigger tracking operations duringexecution of the application; enforcing the runtime agent on theexecution of the application comprising: tracking execution flow thecontrols of interest through triggered tracking operations, anddetecting a security event based at least in part on a detected sequenceof execution flow associated with the security event.
 2. The method ofclaim 1, wherein the controls of interest comprise method calls,datatype activity calls, user defined vulnerabilities, and input andoutput calls.
 3. The method of claim 1, wherein monitoring the executionflow further comprises of monitoring data input during the execution ofthe application.
 4. The method of claim 3, further comprising respondingto the security event, which comprises segmenting and classifying a datapayload of the execution flow and monitoring the interaction with sourcedata type and input calls.
 5. The method of claim 1, wherein the runtimeagent is language agnostic, thereby executable in multiple programminglanguages.
 6. The method of claim 1, wherein detecting the securityevent further comprises looking up a section of the execution flow in asecurity profile dictionary; and responding to the security eventfurther by updating the security profile dictionary.
 7. The method ofclaim 1, further comprising responding to the security event, whichcomprises as part of enforcing the runtime agent, proactively regulatingthe execution flow and preventing sequential utilization of controlsassociated with the security event.
 8. The method of claim 1, furthercomprising responding to the security event, which comprises reactivelyregulating the execution flow and preventing sequential utilization ofcontrols associated with the security event.
 9. The method of claim 1,further comprising responding to the security event, which comprises ofidentifying involved controls within the set of code sources andreporting the involved controls through a user interface.
 10. The methodof claim 1, further comprising responding to the security event, whichcomprises of showing portions of the set of code sources that led todetecting the security event.
 11. The method of claim 1, furthercomprising responding to the security event, which comprises blockingexecution flow associated with the security event.
 12. The method ofclaim 1, further comprising responding to the security event, whichcomprises modifying firewall settings based on clients involved in thesecurity event.
 13. The method of claim 1, further comprising respondingto the security event, which comprises generating a security eventnotification.
 14. The method of claim 1, wherein detecting the securityevent comprises identifying a section of the execution flow definedwithin a security profile dictionary; and responding to the securityevent by selectively performing at least one of the following: locatingthe application controls and external inputs that led to detecting thesecurity event, preventing sequential utilization of controls associatedwith the security event, sending an alert regarding the security event,and providing a user interface that outputs runtime agent diagnosticsand security event alerts and enables user control of the runtime agent.15. The method of claim 1, wherein augmenting the execution of thecontrols of interest in the application to trigger tracking operationsfurther comprises augmenting execution of controls of interest toincrement a counter conditional on the execution flow between controlsof interest, wherein the counter increments differently depending on ifthe execution flow satisfies a sequence condition associated with asecurity event.
 16. The method of claim 15, wherein augmenting theexecution of the controls of interest in the application comprisesinserting atomic compare and swap instructions at the controls ofinterest to conditionally increment the counter based on sequence ofexecution path through instrumented controls.
 17. The method of claim15, wherein augmenting the execution of the controls of interest in theapplication comprises inserting jump statements into method calls of thecontrols of interest, wherein the jump statements conditionallyincrement the counter based on sequence of execution path throughinstrumented controls.
 18. The method of claim 1, wherein augmenting theexecution of the controls of interest in the application comprisescompiling the set of source codes to add the tracking operations tocontrols of interest.
 19. The method of claim 1, wherein detecting thesecurity event is further based upon, if a sequence of execution flow isassociated with a security event, analyzing data payload and detectingthe security even based on payload analysis.